Thursday, July 19, 2018

OCSEC-2018 report released

The 2017-18 annual report of the Office of the CSE Commissioner (OCSEC) was made public on July 18th.

To sum it up in a sentence, CSE didn't do anything egregiously wrong in the last year, at least as far as OCSEC is concerned. So, good news there.

Of course, as a result it's pretty much a certainty that this report will soon join its predecessors lost in the depths of obscurity. That's a shame, because as always, there's some information worth salvaging from it.

Unlike the 2016-17 report, which I only got around to revisiting in the past two months, I'll try to explore this one over the next few days and weeks.

Monday, July 09, 2018

OCSEC-2017, part II: The circumstances are always exceptional

Welcome to stage two of our expedition to the wreck of the OCSEC 2016-2017 annual report, as we return to the site of the report's disappearance to see what else of interest may be down there. (See stage one here.)

Ooh, here's a neat little artefact! CSE has been spying on citizens or other residents of its Five Eyes allies.

For decades there has been a persistent rumour among the more conspiracy-minded of spy agency watchers that the Five Eyes agencies evade the legal limits placed on spying on their own citizens and within their own borders by getting their partner agencies to do this spying for them. And for just as long, those agencies have been dismissing that claim as a load of paranoid nonsense. Which, to be fair, it mostly is.

Twenty years ago the first CSE Commissioner addressed this concern in his 1997-98 annual report, assuring his readers that
CSE undertakes explicitly to treat the communications of Second Party nationals in a manner consistent with the procedures issued by the agency of that country, provided such procedures do not contravene the laws of Canada. This is a reciprocal undertaking to ensure that the Second Parties do not target each others’ communications or circumvent their own legislation by targeting communications at each others’ behest.
In more recent years, however, those agencies and their watchdogs have occasionally conceded, grudgingly, that, OK, yes, once in a while the allies do direct their surveillance capabilities at one another, and that in some of those cases the information thus collected is in fact passed on to the ally that was targeted.

For example, in his 2013-14 annual report (page 24) the current CSE Commissioner acknowledged that "each partner is an agency of a sovereign nation that may derogate from the agreements and resolutions, if it is judged necessary for their respective national interests." He went on to reassure his readers (page 25), however, that CSE
policies and procedures state that collection activities are not to be directed at second party nationals located anywhere, or against anyone located in second party territory. Document review, discussions in interviews and written answers suggest that [CSE] conducts its foreign signals intelligence activities in a manner that is consistent with the agreements it has with its second party partners to respect the privacy of the partners’ citizens, and to follow the partners’ policies in this regard.
In the 2015-16 report, a little bit more was revealed about how our Second Party partners don't consider themselves quite as entirely bound by this rule as our own upstanding CSE folks do. As the Commissioner noted (page 16), in "exceptional circumstances, one of CSE’s partners may acquire and report on information about a Canadian or a person in Canada." He then explained (page 17) that these exceptional circumstances were now occurring regularly enough that CSE had established a special mechanism to transfer the material — which probably mostly concerned Canadians involved in extremist-related activities in Syria and elsewhere — from the allied agencies that had collected it onward to CSIS.

This year it was CSE's turn in the spotlight (pages 16-17):
CSE policies and procedures state that collection activities are not to be directed at Five Eyes nationals located anywhere, or against anyone located in Five Eyes territory. Nevertheless, it is recognized that each of the Five Eyes partners is an agency of a sovereign nation that may deviate from these agreements if it is deemed necessary for their respective national interests. Accordingly, in such exceptional circumstances it may become necessary for CSE to acquire information involving Five Eyes nationals or a foreigner on Five Eyes territory. [emphasis added]
What followed should probably be described as exceptionally unsurprising. It turns out that circumstances have once again been exceptional and CSE has indeed been targeting Five Eyes nationals and/or territory.

In retrospect, it is tempting to conclude that the Commissioners' 1997-98 and 2013-14 statements were exceptionally disingenuous. But it is also possible that agency practices have been evolving at a rather rapid pace. The 2016-17 report notes (page 18) that "In 2015, CSE updated its policy [with respect to such monitoring] to more effectively respond to operational requirements and emergencies, and formalized certain existing practices."

In any case, if there's a Disingenuity Prize to be awarded, my vote would have go to John Forster, who as Chief of CSE assured the Senate in November 2012 that "I would no more target an American than they would a Canadian." This masterpiece of Schrödingerian superposition managed to be both exceptionally misleading and completely truthful at the same time. You have to admire the beauty of that, even as you remind yourself never to take a word these guys say at face value.

Still, we work with the information that we can dredge up, so back to the 2016-17 report.

In what was the first direct review undertaken of such targeting, the Commissioner looked at "all CSE-initiated activities involving Five Eyes nationals or a foreigner on Five Eyes territory" during the 20-month period from January 2015 to August 2016, amounting to a total of 11 "cases".

Eleven is a very small number, and while it is always possible that these 11 cases involved significantly more than 11 individuals, it's likely that the overall total was pretty small.

Still, this is not "incidental" collection of information obtained in the course of monitoring non-Five Eyes targets that we're talking about here: this is the deliberate targeting of allied nationals and/or territory, so even if the numbers are small it's potentially an explosive topic.

Given that possibility, before the Toddler in Chief fires up his Twitter account let's quickly note that this is not about the Canadian Deep State spying on Donald J. Trump. As sensible as it might be for the Canadian government to seek whatever advance warning it can get of the latest absurdities percolating in the Oval Office, a) the activities described in this report took place ca. 5 to 25 months before Trump took office, and b) there is not the slightest chance that the CSE Commissioner would have been permitted to reveal them if they involved anything liable to prompt awkward exchanges with the United States or other Five Eyes allies.

The Commissioner chooses his own topics to review and report, but it is the government that decides what information is declassified, so if anything truly embarrassing had been going on, people like me would still be wondering what the Commissioner meant by "certain activities" undertaken by CSE, not discussing the details of the targeting of Five Eyes partners. It is a safe bet that the U.S. and the other Five Eyes allies were well aware of the activities reported in this document.

Extremist Travellers phone home?

So what are we looking at here? Almost certainly not the Five Eyes partners spying on each other's political leaders or trade negotiators. In fact, for once the CSE Commissioner gives us a pretty clear indication (page 16): whereas last year's review examined the procedures used when CSE's partners "acquire and report information about Canadians located outside of Canada, for example, because they are known to be engaging in or supporting terrorist activities," this year's review looks at "the exceptional circumstances where CSE acquired information and reported on similar activities involving Five Eyes nationals."

With Canada actively involved in recent years in the battle against ISIS, and with all of the partners keenly interested in the activities of their nationals who have gone abroad to fight for that or other extremist causes and who may be seeking to radicalize others still at home, it seems that there is now tacit agreement among the partners that it's OK to target the nationals of the others when you encounter them in the course of counter-terrorism investigations.

If this is indeed what's going on, it may well be a reasonable exception to make under these specific, limited circumstances. But it should also raise some warning flags.

What is being done with the information collected by and shared among those allies, and perhaps beyond them, remains an issue. It is one thing to kill someone who is clearly part of an enemy armed force in an active theatre of war, even though they may be a citizen of your country. But what if, freed from past pledges not to monitor partner nationals, the U.S. targets a Canadian thought to be radicalizing other Westerners who is hiding out in Libya, where Canada is not at war but U.S. drone strikes are actively killing extremist supporters? Do we have an official position on that? What about the use of such information for arrest and subsequent torture? Presumably it is not the view of the government that it's open season on all Canadian "extremists" — convicted by spy agencies, not by courts — once they are outside our borders.

In 2015, Canada resumed the practice of requesting Five Eyes assistance when Canadians travelling outside Canada are monitored under CSIS warrants, even though this identifies those Canadians to our partners, who may then choose to do their own monitoring of those individuals for their own purposes, be they intelligence collection, rendition, or death. The Commissioner made a nod toward these concerns on page 18 of his report:
While not directly related to this review, the Commissioner again encouraged the Minister to address an outstanding July 2013 recommendation to issue a new ministerial directive to provide general direction to CSE on its foreign signals intelligence information-sharing activities with its Five Eyes partners.... The office was informed that a new ministerial directive is being developed that will explicitly acknowledge the risks associated with this type of sharing, given that CSE cannot, for reasons of sovereignty, demand that its Five Eyes partners account for any use of such information.
As of August 2017, however, no such directive had yet appeared, although a more limited directive on Avoiding Complicity in Mistreatment by Foreign Entities was signed in November 2017.

Another red flag concerns the possibility that the purposes of such monitoring may expand. Protecting against terrorism may be a reasonable and limited reason for bending the rules against monitoring each other's nationals, but how about preventing the proliferation of weapons of mass destruction? That's pretty important. How about stopping child sexual exploitation? Or disrupting the deadly fentanyl trade? Where do you stop?

Counter-intelligence? Tax evasion? Illegal downloading?

Disloyalty to the President?

To be clear, we are a long, long way from a panoptical world where surveillance laws no longer matter because the other Five Eyes agencies are spying on everybody for us. We are not even remotely close to that world, and we probably never will be. We have many safeguards against it.

But you can see it from here, far away down there at the bottom of the slope we now seem to have stepped upon. Our footing seems pretty secure way up here, but we should probably tread carefully.